AWS Authentication Mechanisms
In this course, we shall be looking at how AWS provides many different means of authentication.
- The different methods of authentication that can be implemented when using AWS
- The difference between username/password and Multi-factor authentication
- How to configure MFA authentication
- The process in which programmatic authentication is managed
- How IAM roles can be used to authenticate and authorize EC2 instances to access resources
- How Key Pairs are used to authenticate you to newly created EC2 instances
- The different options available with regards to federated authentication
- AWS Administrators
- Security Engineers
- Security Architects
- And anyone who is looking to increase their knowledge of security and authentication within AWS
You should have a basic understanding of AWS IAM and what the service is used for. It would also be advantageous if you had some basic hands-on experience of Amazon EC2, but it is not essential.
AWS allows you to access and manage AWS resources even if you don't have a user account within IAM through the use of identity federation. Put simply, identity federation allows users from identity providers, IDPs, which are external to AWS to access AWS resources securely without having to supply AWS user credentials from a valid IAM user account. An example of an identity provider can be your own corporate Microsoft Active directory.
Federated access would then allow the users within it to access AWS. Other forms of identity providers can be any OpenID Connect Web Provider. Common examples of these are Facebook, Google, and Amazon. So, what does this mean? Well, this means that if you need users to access AWS resources that already have identities that fit into these categories, then you could allow access to your environment using these existing accounts, instead of setting up each of them with a new identity within AWS IAM, effectively allowing for a single sign-on solution.
As the vast majority of organizations today are using Microsoft Active Directory, this is an effective way of granting access to your AWS resources without going through the additional burden of creating IAM user accounts. As a part of the configuration process to implement federated authentication, a trust relationship between the identity provider and your AWS account must be established. AWS supports two types of identity providers, web identity federation and SAML 2.0 based federation.
Web identity federation allows authentication between AWS resources and any public OpenID Connect Provider, such as Facebook, Google, or Amazon. When it's set up and configured and access is requested by a user to an AWS resource, then the identity provider will exchange an authentication token for temporary authentication credentials. And these credentials are associated to an IAM Role with pre-configured permissions allowing authorized access to the resource as defined by that role. SAML 2.0 based federations can allow your existing Active Directory users to authenticate to your AWS resources, allowing for a single sign-on approach.
SAML stands for Security Assertion Markup Language, and allows for the exchange of security data, including authentication authorization tokens to take place between an identity provider and a service provider. In this case, the identity provider is Microsoft Active Directory service and the service provider is AWS.
To learn more about AWS Federation and SSO, please see your exiting course here. Also, if you're looking to provide a means of authentication to your mobile web applications, then please see our existing course which covers Amazon Cognito here. It explores Amazon Cognito and how it can be used to manage authentication and authorization to your applications. And starts with a general overview of Amazon Cognito and when to use it. It then moves on to user pools and identity pools, and how Cognito can be integrated with your mobile and web apps to sync your application's user data across various platforms.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.